EYE ON SCIENCE: What’s the password?

Gesture logins provide a new type of electronic security

By STEPHANIE GALL ’14

Staff Columnist

Movement lets us get from point A to point B, express ourselves and now even serves as a security measure. The traditional way of logging into an electronic device or online service typically involves a mixture of digits, punctuation marks and letters. However, Professor Janusz Konrad of Boston University’s College of Engineering was dissatisfied with the level of complexity these digit amalgamations require. So he and a colleague, Professor Prakash Ishwar, developed a means of using gestures for electronic authentication. With a gesture login—like a tennis swing, dance move, or any other gesture of your choice—you can unlock your car or a door. Gestures are difficult to precisely replicate, making them ideal for authenticating a person’s identity.

Konrad’s interest in gestures began a couple of years ago when a student working on video surveillance became interested in whether a camera could recognize a person’s action. If a camera’s software could recognize actions, such as running or pushing someone, there would be less need for people to monitor surveillance cameras around the clock. Around this time, Konrad also learned about the Microsoft product Kinect. Kinect connects to an Xbox and allows users to dance or play games like ping pong without a controller by capturing information about the user’s body. The possibilities of movement and computer interactions got Konrad’s mind rolling about other applications for gestures.

Passwords come in many varieties. The type we encounter on a daily basis is the numerical login, where a sequence of numbers lets you unlock your phone, access your email or open doors. Often, we repeat passwords for the sake of simplicity and use the same login information to access multiple accounts. This repetition increases the risk of theft if an account is hacked.

Konrad cited the LinkedIn scandal that occurred last year as a prime example of how numerical passwords can fail. In June 2012, hackers broke into the professional networking site and leaked 6 million users’ passwords. Because people tend to reuse passwords, this leak had the potential to compromise the security of multiple accounts. Clearly, a different type of security was needed.

Biometric logins, which identify an individual by his or her physical traits, have also been implemented in security equipment. For example, your fingerprint might unlock your laptop, or a retinal scan might let an employee into a secured area. As secure as these measures may seem, they are not foolproof. Even facial scans don’t guarantee security, since a printed picture from Facebook, when held in front of a laptop camera, can unlock the device just as well as if the actual person were sitting there.

“The problem with biometrics is that they are not renewable,” Konrad said. “This means that once someone steals your face, in a sense, or your fingerprint, you cannot replace it. You cannot change your biometrics and that is important for security because break-ins will happen sooner or later.”

Gestures, on the other hand, are renewable, meaning that if your gesture is compromised, you can simply change the gesture. After attending a lecture about finger swipe authentications on tablet surfaces, Konrad and Ishwar decided to extend the idea to three-dimensional gestures. Gestures make ideal passwords for several reasons. First, our gestures are unique. “Gesture replication is very difficult even for people with identical builds and heights because we are very individualistic in our movements,” Konrad said. Our movements depend on our body structure—the length of our arms and legs, the separation between joints—which is difficult to imitate. But even if two people have similar body types and one person watches another person perform a gesture, it’s not easy for the imitator to exactly emulate the other person’s mannerisms.

The main issue, Konrad points out, is the balance between maintaining tight security and allowing for some error in the gesture’s performance. “Your gesture may change depending on the time of day, the clothing you are wearing or whether your arm is hurting,” Konrad explained. “If we make security very strict, there may be some inconvenience. You may need to perform the gesture twice or three times. But if you want the system to be very easy to use, you may lose the security.”
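The trade-off Konrad describes can be made concrete with an acceptance threshold on how far an attempt may deviate from the enrolled gesture. The following is an added example, not code from the column or from Konrad and Ishwar's system. It assumes dynamic time warping as the comparison method (the column does not say how gestures are matched), constructed hand trajectories, and independent retries.

```python
# Added illustration: DTW matching and all sample data are assumptions, not the researchers' method.
import math

def dtw(a, b):
    """Length-normalised dynamic-time-warping distance between two (x, y, z) sequences."""
    inf = float("inf")
    cost = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    cost[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d = math.dist(a[i - 1], b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[len(a)][len(b)] / (len(a) + len(b))

def swing(reach, speed, wobble, n=40):
    """Constructed hand trajectory: an arc shaped by arm reach, tempo and unsteadiness."""
    pts = []
    for k in range(n):
        t = (k / (n - 1)) ** speed * math.pi
        pts.append((reach * math.cos(t),
                    reach * math.sin(t) + wobble * math.sin(7 * t),
                    0.3 * reach * t))
    return pts

ENROLLED = swing(reach=0.70, speed=1.0, wobble=0.00)
# Constructed genuine attempts: same person, small day-to-day variation.
GENUINE = [swing(0.70, s, w) for s, w in
           [(1.05, 0.01), (0.92, 0.02), (1.15, 0.03), (0.85, 0.04), (1.0, 0.06)]]
# Constructed impostor attempts: different arm length and tempo imitating the same move.
IMPOSTOR = [swing(r, s, 0.02) for r, s in
            [(0.62, 1.0), (0.78, 1.1), (0.66, 0.8), (0.74, 1.3), (0.58, 1.2)]]

def rates(threshold, max_attempts=3):
    """Return (FRR, FAR, P(owner fails every attempt), P(impostor passes at least once))."""
    frr = sum(dtw(ENROLLED, g) > threshold for g in GENUINE) / len(GENUINE)
    far = sum(dtw(ENROLLED, i) <= threshold for i in IMPOSTOR) / len(IMPOSTOR)
    # Retries are treated as independent, which is a simplifying assumption.
    return frr, far, frr ** max_attempts, 1 - (1 - far) ** max_attempts

def sweep(thresholds):
    """Evaluate the same attempts under progressively more lenient thresholds."""
    return [(t,) + rates(t) for t in thresholds]

if __name__ == "__main__":
    for t, frr, far, lockout, breach in sweep([0.005, 0.01, 0.02, 0.04, 0.08]):
        print(f"threshold={t:.3f} FRR={frr:.2f} FAR={far:.2f} "
              f"lockout={lockout:.3f} breach={breach:.3f}")
```

Allowing retries lowers the owner's lockout probability but raises the impostor's chance of at least one pass, so the retry limit has to be chosen together with the threshold.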

You may be wondering what happens if you forget the gesture you selected as your login. Unlike a digit pass code, a reminder of your gesture can’t be sent over email. Instead, you provide a hint that is descriptive of the movement. Konrad sees gestures being used along with usernames to enhance security. By combining a claim of your identity, through the username, with a gesture to authenticate your identity, the likelihood of anyone being able to replicate your login decreases dramatically.